Holy heck, I barely dodged this.
I don’t have many AUR packages installed, but GraalVM JDK8 was one of them and infected, and I did a paru update recently. Fortunately (looking at my update history) it wasn’t upgraded, so the package must not have been compromised just yet. Or maybe already rolled back, not sure.
I narrowly dodged a similar bullet with PyTorch nightly from PyPI, not that long ago.
…It’s a good lesson, I guess. Shrink my AUR list to the absolute bare minimum, small enough to check PKGBUILDs closely, and uninstall npm.
EDIT: And freaking use Docker and Flatpak, and partition my finances.